<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <title>ActionView::Helpers::SanitizeHelper</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <link rel="stylesheet" href="../../../css/reset.css" type="text/css" media="screen" />
<link rel="stylesheet" href="../../../css/main.css" type="text/css" media="screen" />
<link rel="stylesheet" href="../../../css/github.css" type="text/css" media="screen" />
<script src="../../../js/jquery-1.3.2.min.js" type="text/javascript" charset="utf-8"></script>
<script src="../../../js/jquery-effect.js" type="text/javascript" charset="utf-8"></script>
<script src="../../../js/main.js" type="text/javascript" charset="utf-8"></script>
<script src="../../../js/highlight.pack.js" type="text/javascript" charset="utf-8"></script>

</head>

<body>     
    <div class="banner">
        
            <span>Ruby on Rails v4.0.0</span><br />
        
        <h1>
            <span class="type">Module</span> 
            ActionView::Helpers::SanitizeHelper 
            
        </h1>
        <ul class="files">
            
            <li><a href="../../../files/actionpack/lib/action_view/helpers/sanitize_helper_rb.html">actionpack/lib/action_view/helpers/sanitize_helper.rb</a></li>
            
        </ul>
    </div>
    <div id="bodyContent">
        <div id="content">
  
    <div class="description">
      
<p>The <a href="SanitizeHelper.html">SanitizeHelper</a> module provides a set
of methods for scrubbing text of undesired <a
href="../../HTML.html">HTML</a> elements. These helper methods extend
Action View making them callable within your template files.</p>

    </div>
  


  


  
  


  


  
    <!-- Method ref -->
    <div class="sectiontitle">Methods</div>
    <dl class="methods">
      
        <dt>S</dt>
        <dd>
          <ul>
            
              
              <li>
                <a href="SanitizeHelper.html#method-i-sanitize">sanitize</a>,
              </li>
            
              
              <li>
                <a href="SanitizeHelper.html#method-i-sanitize_css">sanitize_css</a>,
              </li>
            
              
              <li>
                <a href="SanitizeHelper.html#method-i-strip_links">strip_links</a>,
              </li>
            
              
              <li>
                <a href="SanitizeHelper.html#method-i-strip_tags">strip_tags</a>
              </li>
            
          </ul>
        </dd>
      
    </dl>
  

  



  

    

    

    


    


    <!-- Methods -->
        
      <div class="sectiontitle">Instance Public methods</div>
      
        <div class="method">
          <div class="title method-title" id="method-i-sanitize">
            
              <b>sanitize</b>(html, options = {})
            
            <a href="SanitizeHelper.html#method-i-sanitize" name="method-i-sanitize" class="permalink">Link</a>
          </div>
          
          
            <div class="description">
              <p>This <code>sanitize</code> helper will html encode all tags and strip all
attributes that aren’t specifically allowed.</p>

<p>It also strips href/src tags with invalid protocols, like javascript:
especially. It does its best to counter any  tricks that hackers may use,
like throwing in unicode/ascii/hex values to get past the javascript:
filters. Check out the extensive test suite.</p>

<pre>&lt;%= sanitize @article.body %&gt;</pre>

<p>You can add or remove tags/attributes if you want to customize it a bit.
See <a href="../Base.html">ActionView::Base</a> for full docs on the
available options. You can add tags/attributes for single uses of
<code>sanitize</code> by passing either the <code>:attributes</code> or
<code>:tags</code> options:</p>

<p>Normal Use</p>

<pre>&lt;%= sanitize @article.body %&gt;</pre>

<p>Custom Use (only the mentioned tags and attributes are allowed, nothing
else)</p>

<pre>&lt;%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %&gt;</pre>

<p>Add table tags to the default allowed tags</p>

<pre class="ruby"><span class="ruby-keyword">class</span> <span class="ruby-constant">Application</span> <span class="ruby-operator">&lt;</span> <span class="ruby-constant">Rails</span><span class="ruby-operator">::</span><span class="ruby-constant">Application</span>
  <span class="ruby-identifier">config</span>.<span class="ruby-identifier">action_view</span>.<span class="ruby-identifier">sanitized_allowed_tags</span> = <span class="ruby-string">'table'</span>, <span class="ruby-string">'tr'</span>, <span class="ruby-string">'td'</span>
<span class="ruby-keyword">end</span>
</pre>

<p>Remove tags to the default allowed tags</p>

<pre class="ruby"><span class="ruby-keyword">class</span> <span class="ruby-constant">Application</span> <span class="ruby-operator">&lt;</span> <span class="ruby-constant">Rails</span><span class="ruby-operator">::</span><span class="ruby-constant">Application</span>
  <span class="ruby-identifier">config</span>.<span class="ruby-identifier">after_initialize</span> <span class="ruby-keyword">do</span>
    <span class="ruby-constant">ActionView</span><span class="ruby-operator">::</span><span class="ruby-constant">Base</span>.<span class="ruby-identifier">sanitized_allowed_tags</span>.<span class="ruby-identifier">delete</span> <span class="ruby-string">'div'</span>
  <span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span>
</pre>

<p>Change allowed default attributes</p>

<pre class="ruby"><span class="ruby-keyword">class</span> <span class="ruby-constant">Application</span> <span class="ruby-operator">&lt;</span> <span class="ruby-constant">Rails</span><span class="ruby-operator">::</span><span class="ruby-constant">Application</span>
  <span class="ruby-identifier">config</span>.<span class="ruby-identifier">action_view</span>.<span class="ruby-identifier">sanitized_allowed_attributes</span> = <span class="ruby-string">'id'</span>, <span class="ruby-string">'class'</span>, <span class="ruby-string">'style'</span>
<span class="ruby-keyword">end</span>
</pre>

<p>Please note that sanitizing user-provided text does not guarantee that the
resulting markup is valid (conforming to a document type) or even
well-formed. The output may still contain e.g. unescaped ‘&lt;’, ‘&gt;’,
‘&amp;’ characters and confuse browsers.</p>
            </div>
          
          
          
          
          
            
            <div class="sourcecode">
              
              <p class="source-link">
                Source: 
                <a href="javascript:toggleSource('method-i-sanitize_source')" id="l_method-i-sanitize_source">show</a>
                
                  | <a href="https://github.com/rails/rails/blob/c71c8a962353642ee44b5cc6ed68dc18322eea72/actionpack/lib/action_view/helpers/sanitize_helper.rb#L59" target="_blank" class="github_url">on GitHub</a>
                
              </p>
              <div id="method-i-sanitize_source" class="dyn-source">
                <pre><span class="ruby-comment"># File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 59</span>
<span class="ruby-keyword">def</span> <span class="ruby-keyword ruby-title">sanitize</span>(<span class="ruby-identifier">html</span>, <span class="ruby-identifier">options</span> = {})
  <span class="ruby-keyword">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">white_list_sanitizer</span>.<span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>, <span class="ruby-identifier">options</span>).<span class="ruby-identifier">try</span>(<span class="ruby-value">:html_safe</span>)
<span class="ruby-keyword">end</span></pre>
              </div>
            </div>
            
          </div>
        
        <div class="method">
          <div class="title method-title" id="method-i-sanitize_css">
            
              <b>sanitize_css</b>(style)
            
            <a href="SanitizeHelper.html#method-i-sanitize_css" name="method-i-sanitize_css" class="permalink">Link</a>
          </div>
          
          
            <div class="description">
              <p>Sanitizes a block of CSS code. Used by <code>sanitize</code> when it comes
across a style attribute.</p>
            </div>
          
          
          
          
          
            
            <div class="sourcecode">
              
              <p class="source-link">
                Source: 
                <a href="javascript:toggleSource('method-i-sanitize_css_source')" id="l_method-i-sanitize_css_source">show</a>
                
                  | <a href="https://github.com/rails/rails/blob/c71c8a962353642ee44b5cc6ed68dc18322eea72/actionpack/lib/action_view/helpers/sanitize_helper.rb#L64" target="_blank" class="github_url">on GitHub</a>
                
              </p>
              <div id="method-i-sanitize_css_source" class="dyn-source">
                <pre><span class="ruby-comment"># File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 64</span>
<span class="ruby-keyword">def</span> <span class="ruby-keyword ruby-title">sanitize_css</span>(<span class="ruby-identifier">style</span>)
  <span class="ruby-keyword">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">white_list_sanitizer</span>.<span class="ruby-identifier">sanitize_css</span>(<span class="ruby-identifier">style</span>)
<span class="ruby-keyword">end</span></pre>
              </div>
            </div>
            
          </div>
        
        <div class="method">
          <div class="title method-title" id="method-i-strip_links">
            
              <b>strip_links</b>(html)
            
            <a href="SanitizeHelper.html#method-i-strip_links" name="method-i-strip_links" class="permalink">Link</a>
          </div>
          
          
            <div class="description">
              <p>Strips all link tags from <code>text</code> leaving just the link text.</p>

<pre class="ruby"><span class="ruby-identifier">strip_links</span>(<span class="ruby-string">'&lt;a href=&quot;http://www.rubyonrails.org&quot;&gt;Ruby on Rails&lt;/a&gt;'</span>)
<span class="ruby-comment"># =&gt; Ruby on Rails</span>

<span class="ruby-identifier">strip_links</span>(<span class="ruby-string">'Please e-mail me at &lt;a href=&quot;mailto:me@email.com&quot;&gt;me@email.com&lt;/a&gt;.'</span>)
<span class="ruby-comment"># =&gt; Please e-mail me at me@email.com.</span>

<span class="ruby-identifier">strip_links</span>(<span class="ruby-string">'Blog: &lt;a href=&quot;http://www.myblog.com/&quot; class=&quot;nav&quot; target=\&quot;_blank\&quot;&gt;Visit&lt;/a&gt;.'</span>)
<span class="ruby-comment"># =&gt; Blog: Visit.</span>
</pre>
            </div>
          
          
          
          
          
            
            <div class="sourcecode">
              
              <p class="source-link">
                Source: 
                <a href="javascript:toggleSource('method-i-strip_links_source')" id="l_method-i-strip_links_source">show</a>
                
                  | <a href="https://github.com/rails/rails/blob/c71c8a962353642ee44b5cc6ed68dc18322eea72/actionpack/lib/action_view/helpers/sanitize_helper.rb#L94" target="_blank" class="github_url">on GitHub</a>
                
              </p>
              <div id="method-i-strip_links_source" class="dyn-source">
                <pre><span class="ruby-comment"># File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 94</span>
<span class="ruby-keyword">def</span> <span class="ruby-keyword ruby-title">strip_links</span>(<span class="ruby-identifier">html</span>)
  <span class="ruby-keyword">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">link_sanitizer</span>.<span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>)
<span class="ruby-keyword">end</span></pre>
              </div>
            </div>
            
          </div>
        
        <div class="method">
          <div class="title method-title" id="method-i-strip_tags">
            
              <b>strip_tags</b>(html)
            
            <a href="SanitizeHelper.html#method-i-strip_tags" name="method-i-strip_tags" class="permalink">Link</a>
          </div>
          
          
            <div class="description">
              <p>Strips all <a href="../../HTML.html">HTML</a> tags from the
<code>html</code>, including comments. This uses the html-scanner tokenizer
and so its <a href="../../HTML.html">HTML</a> parsing ability is limited by
that of html-scanner.</p>

<pre class="ruby"><span class="ruby-identifier">strip_tags</span>(<span class="ruby-string">&quot;Strip &lt;i&gt;these&lt;/i&gt; tags!&quot;</span>)
<span class="ruby-comment"># =&gt; Strip these tags!</span>

<span class="ruby-identifier">strip_tags</span>(<span class="ruby-string">&quot;&lt;b&gt;Bold&lt;/b&gt; no more!  &lt;a href='more.html'&gt;See more here&lt;/a&gt;...&quot;</span>)
<span class="ruby-comment"># =&gt; Bold no more!  See more here...</span>

<span class="ruby-identifier">strip_tags</span>(<span class="ruby-string">&quot;&lt;div id='top-bar'&gt;Welcome to my website!&lt;/div&gt;&quot;</span>)
<span class="ruby-comment"># =&gt; Welcome to my website!</span>
</pre>
            </div>
          
          
          
          
          
            
            <div class="sourcecode">
              
              <p class="source-link">
                Source: 
                <a href="javascript:toggleSource('method-i-strip_tags_source')" id="l_method-i-strip_tags_source">show</a>
                
                  | <a href="https://github.com/rails/rails/blob/c71c8a962353642ee44b5cc6ed68dc18322eea72/actionpack/lib/action_view/helpers/sanitize_helper.rb#L80" target="_blank" class="github_url">on GitHub</a>
                
              </p>
              <div id="method-i-strip_tags_source" class="dyn-source">
                <pre><span class="ruby-comment"># File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 80</span>
<span class="ruby-keyword">def</span> <span class="ruby-keyword ruby-title">strip_tags</span>(<span class="ruby-identifier">html</span>)
  <span class="ruby-keyword">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">full_sanitizer</span>.<span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>)
<span class="ruby-keyword">end</span></pre>
              </div>
            </div>
            
          </div>
                    </div>

    </div>
  </body>
</html>    